Score:0

Is there a (forensic) way to list past events/actions of a certain *.exe malware program (PUP-Proxygate, possibly a Trojan)?


There is a folder with suspicious *.exe files on a Win 10 PC, and there are (external) protocols of potentially unlawful actions coming from that PC at a certain time in the past. The first suspicious action was network traffic to a sinkhole IP address typical for the Hupigon trojan, a second one (some days later) was posting an attempted scam on an Internet commerce platform.

The PC in question has been powered off by simply pulling the power cable shortly after the second action had been noticed.

Shortly afterwards, the PC was seized by local authorities (who had been notified about the second action by a potential victim of the scam).

A bootable image of the PC exists that was pulled off the C: drive after the hard shutdown. The image has already been booted on a similar PC. A Trendmicro AV scan and subsequent Virustotal check have revealed (only) the following.

Trendmicro AV scan result (screenshot)

"Proxygate" folder with executable files (screenshot)

Virustotal check

What is PUP-Proxygate ("Potentially Unwanted Program")

How did I get infected with the ProxyGate adware

Internet Archive http://proxygate.net

How to Delete ProxyGate

Also, I have run a complete scan of the system drive image of the PC in question, using Autopsy/The Sleuth Kit. However, I have no experience with further analysis using Autopsy, and would require assistance on where to start: Autopsy/The Sleuth Kit scan result (screenshot)

I have the following list of event IDs that, according to some AV security companies, should be checked in the Event Viewer under the "Security" events:

1006, 1007, 1125, 4624, 4625, 4634, 4648, 4670, 4672, 4672, 4688, 4704, 4720, 4722, 4725, 4726, 4728, 4731, 4732, 4733, 4735, 4740, 4756, 4765, 4766, 4767, 4776, 4781, 4782, 4793, 5376, 5377

Is there any other way to look up whether any of the suspicious exe files has been active in any way at that time, and if yes, what it has been doing (e.g. opening files, accessing internet addresses etc.)?

Alternatively, is there a way to see any action of any program at the specific times in question (apart from searching Event Viewer)?
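One way to answer the "what fired at that time" part offline, as an added example that is not from the question or any answer on this page: point Get-WinEvent at the Security.evtx copied out of the seized image (path, dates and the "Proxygate" name below are placeholders/assumptions), narrow to the time window, count which of the listed event IDs actually exist, and pull the executable names out of any 4688 (process creation) events.

```powershell
# Added example, not from the original post. Work on a read-only copy of the image;
# the log path, time window and suspect name are placeholders to adjust.
$EvtxPath  = 'E:\mounted_image\Windows\System32\winevt\Logs\Security.evtx'
$StartTime = Get-Date '2023-01-01 00:00'   # placeholder: first suspicious action
$EndTime   = Get-Date '2023-01-10 23:59'   # placeholder: second suspicious action
$Suspect   = 'Proxygate'                    # folder / binary name from the question

# Event IDs from the question, de-duplicated (4672 is listed twice there).
$Ids = 1006,1007,1125,4624,4625,4634,4648,4670,4672,4688,4704,4720,4722,4725,
       4726,4728,4731,4732,4733,4735,4740,4756,4765,4766,4767,4776,4781,4782,
       4793,5376,5377 | Sort-Object -Unique

# Filter by file and time in the hashtable, then by ID in PowerShell; putting
# 30+ IDs into the hashtable can exceed the event-log query expression limit.
$events = Get-WinEvent -FilterHashtable @{
    Path = $EvtxPath; StartTime = $StartTime; EndTime = $EndTime
} -ErrorAction SilentlyContinue | Where-Object { $Ids -contains $_.Id }

# Which of the listed IDs are present at all in the window (i.e. what evidence exists).
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 4688 is the only ID in the list that names an executable. It is only recorded
# if "Audit Process Creation" was enabled before the incident (off by default).
$events | Where-Object Id -eq 4688 | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Process = $d['NewProcessName']
        Parent  = $d['ParentProcessName']   # Creator Process Name field, present on Win 10
        User    = $d['SubjectUserName']
    }
} | Where-Object { $_.Process -like "*$Suspect*" -or $_.Parent -like "*$Suspect*" } |
    Format-Table -AutoSize
```

If the 4688 section prints nothing, it most likely means process-creation auditing was not enabled on the PC, so the Security log cannot show which executables ran and other artifacts on the image have to be consulted.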

Tilman Schmidt
@anx You should enter that as an answer, not as a comment.

joeqwerty
As a hypothetical question, this is fine. If you've been the victim of a breach, ransomware, etc. then contact your local law enforcement agency, contact your business insurance provider, and take no action that might destroy evidence. Disconnect from the internet and seek the guidance of people experienced in this. There are any number of companies that specialize in this arena.
Score:1
anx

If you have to ask.. then it probably won't suffice for answering the interesting questions:

  1. are additional systems compromised?
  2. how & when did the original compromise happen, before the particular event that raised your suspicions?

There certainly are ways to set up systems so that they stream a fair amount of relevant events to a safe location (such that the logs cannot be retroactively modified), typically involving something like sysmon.

If you did not have that at the suspected time, there still is a chance there is some amount of useful evidence on the affected system itself. Depending on your environment and the skill & intentions of the malicious party, your best bet may be either one of

  • powering off the machine to prevent evidence from being destroyed, or
  • not powering off the machine to prevent evidence from being destroyed.

A tough decision best made by a forensic expert. One you might want to contract anyway, because as you discover more details about this incident, it likely calls for procedures or skills you may not be used to.

Thanks. To my knowledge, other systems have not been compromised. It is not known how and when the original compromise happened. This is what I'm trying to find out. I have added more detail to the question.

@anx and @all, I have added all information that I have to date about the case.
anx
While the details are mildly interesting.. as joeqwerty already hinted at, for the more practical questions about situations where it's too late for applying sysadmin best practices, there is not much [this site](https://serverfault.com/help/on-topic) can help you with, beyond what is already mentioned in your [canonical question](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server/218019#218019).

I am not trying to save something where it is already too late, but rather trying to understand how the malware could have infiltrated that PC, and whether it really could have been this relatively harmless adware that triggered those potentially criminal actions.